BRPI0707691A2 - Method and apparatus for controlling the number of devices installed in an authorized domain - Google Patents

Abstract

METHOD AND APPARATUS TO CONTROL THE NUMBER OF DEVICES INSTALLED IN AN AUTHORIZED DOMAIN. The number of devices installed in an Authorized Domain is controlled by a master device functionality. This master device stores ceiling values for the total number of devices to be installed in the AD, the total number of devices to be installed in a local proximity to the master device and the total number of devices to be installed remotely from said master device. The master device also stores current values of the Local count number of devices installed in AD in local proximity to the master device and the Remote_count number of devices installed in AD remotely from said master device. When a new device is to be installed in the AD, the ceiling values are checked against the current values and it is checked whether the device is in local proximity to the master device to authorize its installation in the AD, either locally or remotely. .

Description

"METHOD AND APPARATUS FOR CONTROLING THE NUMBER OF DEVICES INSTALLED IN AN AUTHORIZED DOMAIN"

Field of the invention

The present invention relates generally to the protection of content in communication networks and, more particularly, to the management of the Authorized Domain.

Background of the invention

The notion of Authorized Domain (AD) has recently been defined as a set of devices belonging to elements of the same household to receive, store or consume content. In this context, residence should not serve as a single location (the main house). An Authorized Domain may actually include devices located in a vacation home, in a car, or even portable devices.

Figure 1 illustrates an example of Authorized Domain 1 comprising a set of devices located in main house 2: a digital television 21, a personal computer 23, a game console 24, and a storage unit 22; another digital television 31 located in a second house 3, mobile devices such as a personal digital assistant 41 and a portable player 42 that can be brought out of the house and a mobile device 51 located in a car 5 (e.g., video player portable). Content can be passed to Authorized Domain devices in a number of ways: it can be widespread content received via an antenna 6 eg it can be broadband on-demand content received over an open network such as the Internet 7 it may be content stored in a medium such as optical 8.

Several groups (for example, the TV-Anytime or DVB-CPT forum - DVB organization's digital video broadcast content protection subgroup) have worked in the past years on the notion of Authorized Domain. Implementation solutions have also been proposed by the industry such as the SmartRight ™ proposal (information can be found at www.smartright.org).

Within an Authorized Domain, devices are often distinguished depending on the role they play in content. In the SmartRight ™ system, for example, content enters the Authorized Domain through an access device (also called a purchasing device), it is stored within a storage entity and consumed or exported by a presentation device. Similar functional entities are defined in the DVB-CPCM system ("CPCM" meaning "content protection & copy management), currently specified by the DVB-CPT and are illustrated in Figure 2.

In Figure 2, an input content 110, passed by a content provider, enters an Authorized Domain 100 through an acquisition point 101. This entity performs some actions on the input content to obtain a content 120 specific to the content. Authorized Domain. This AD 120-specific content can be stored within the Authorized Domain by a storage entity 102 for later consumption. It can be processed by a processing entity 103 (for example, to perform a compression to transfer the content to a low resolution device). Finally, this specific AD content can be consumed through a consumption point 104 where the content is transmitted (eg, in the form of sound and images) to a user to obtain what is called a consumed content 130. The AD specific content it may also be exported through an export point 105 to obtain exported content 140 that is no longer protected by Authorized Domain rules and preferably protected by another system. Of course, it is possible to implement two or more of the above features in a single appliance (for example, a frequency converter box having an internal hard disk drive that is both an acquisition point and a storage integrated digital television with an analog output is a consumption point and an export point).

It should be noted that specific AD content is linked to the Authorized Domain in which such content is taken, if such a link is required by the content provider (in the attached use rights in the input content, for example). This means that such AD-specific content may be consumed at each Authorized Domain consumption point, but may not be consumed on any different Authorized Domain device.

Managing the Authorized Domain is very important, therefore, to limit the size and / or extent of the Authorized Domain. Users would actually have an interest in an unlimited Authorized Domain in order to be able to share their content with others, but content providers require that the size of an Authorized Domain be limited to the needs of their users. elements of a single residence only.

A basic solution would be to limit the total number of devices within an Authorized Domain, but it is difficult to estimate the 'normal' number of devices for a single residence. Also, counting only the number of devices would have undesirable side effects. For example, two storage entities of 1 Mbyte each (eg USB keys) would be counted as two devices whereas an IOGbytes storage entity (eg hard disk drive) would only count for one device.

There is therefore a need for a secure solution to limit the size / extent of an Authorized Domain that was transparent and unnoticed by most honest users, but prevented dangerous users from misleading it.

Summary of the invention

The invention is directed to a method for controlling the number of devices installed in an Authorized Domain containing at least one master device, the master device being capable of storing ceiling values for: - the total Total_limit number of devices to be monitored. installed in the Authorized Domain,

- the total Local_limit number of devices to be installed in close proximity to the master device, and

- the total number Remote_limit of devices being remotely installed from said master device;

The method comprising the steps, when the master device receives a request to install a new device, from:

check that Total_limit has not been reached and if positive, verify that the new device is in close proximity to the master device and

if the new device is verified to be local, check that Local_limit has not been reached before allowing local installation,

In case it is verified that the new device is remote, check if Remote_limit was not reached before allowing remote installation.

According to particular embodiments of the invention:

- Local_limit ceiling value is higher than Remote_limit ceiling value,

- Total_limit ceiling value is greater than sum of Local_limit and Remote_limit ceiling values.

According to another embodiment, the master device is furthermore capable of storing current values of the Local_count number of devices installed in the Authorized Domain in close proximity to the master device and the Remote_count number of devices installed in the Authorized Domain remotely from said master device, and the method also comprises, if it is found that the new device is local and if the Local_count number is equal to or greater than Local_limit, a verification step if the number of devices installed in the Domain Authorized, and which are currently connected in close proximity to the master device, is greater than a predetermined number of the Local_count number, where the new device is locally installed if said verification is positive.

According to other particular modalities:

- Local_count is incremented when the new device is installed locally, or Remote_count is incremented when the new device is installed remotely,

- Local_count or Remote_count are incremented only when the new device is capable of consuming / exporting content,

- Local_count or Remote_count are incremented by one unit when the new device is able to consume and export content,

- when a device that has been remotely installed in the Authorized Domain is found to be in close proximity to the master device, then Local_count is incremented while Remote_count is decremented,

The method also comprises a step of dividing the functionality of the master device between two apparatuses, said step of dividing comprising dividing the values Detect Total_limit, Local_limit and Remote_limit and the current values Local_count and Remote_count being between the two master devices.

The invention is also directed to an apparatus having master device functionality for controlling the number of devices installed in an Authorized Domain, comprising:

a memory capable of storing ceiling values for the total number Total_limit of devices to be installed in the Authorized Domain, the total number Local_limit of devices to be installed in local proximity as master device, and the total number Remote_limit of devices to be installed remotely from said master device,

the memory being able to store current values of the Local_count number of devices installed in the Authorized Domain in close proximity to the master device and the Remote_count number of devices installed in the Authorized Domain remotely from said master device and device to implement the method to control the installation of new devices in Authorized Domain as previously described.

Brief Description of Drawings

The various aspects of the present invention and their preferred embodiments will now be described, by way of example only, with reference to the accompanying drawings in which:

Figure 1, discussed here above, illustrates an example of a typical Authorized Domain,

Figure 2, previously described, illustrates the different types of devices in an Authorized Domain,

Figure 3 schematically illustrates a block diagram of a particular device called a master device,

Figure 4 illustrates messages exchanged between a new device to be installed in an Authorized Domain and a master device of that AD, as well as with other devices of that AD in a particular example of the local installation,

Figure 5 and Figure 6 illustrate state diagrams respectively of a new device to be installed in an Authorized Domain and a master device of that Authorized Domain.

Description of preferred embodiments

In an Authorized Domain managed according to the invention, three different size counts are handled:

- one (Local_count) for the number of devices installed within the location,

- one (Remote_count) for the number of devices installed from a remote location, and

- one (Total_count) for the total number of devices installed in the Authorized Domain (this Total_count is actually the total of the two previews).

Preferably, only devices performing consumption point or export point features are considered for these counts.

These counts are maintained by a master device that is the only device capable of installing consumption and export points in the Authorized Domain. Acquisition points, storage entities, and processing entities can be installed by any Authorized Domain device.

Master device functionality can be implemented on any device in an Authorized Domain and is preferably implemented on a single AD device. A master device is a device 200 as shown schematically in Figure 3 which contains a secure processor (CPU 201) and a secure memory 202. Security (which is symbolized by a dotted line rectangle in Figure 3) of these components can be implemented using a smart card or TCPA-type platform (TCPA meaning "trusted computer platform alliance"). Obfuscation techniques also exist for both ensuring memory and processing. These techniques can be used alone or in conjunction with smart cards or TCPA. Secure memory 202 is capable of storing Local_count and Re-mote_count for the Authorized Domain to which the master device 200 belongs. Total_count is also stored in one mode in secure memory 202. Alternatively, Total count is not stored as a separate memory count 202, it is deducted from the two other counts however it is necessary to check the total number of devices installed in AD CPU 201 is capable of executing a program by implementing a method that will be explained later in order to control the size / extent of the AD.

Master device 200 also comprises a network interface 203 for connecting, permanently or temporarily, to a home network and / or an open network for communication with other AD devices. The 203 network interface is capable of implementing well-known wired and / or wireless transmission protocols such as IP, IEEE 1394, or 802.11b. The master device 200 also preferably comprises a user interface 204.

The notion of local or remote location of a device is defined with respect to the master device. For example, in the Authorized Domain shown in figure 1, if the master device is PC 23, then DTVl 21 which is a point of consumption type will be counted in Local_count while DTV2 31 will be counted in Remote_count stored in master device 23. As for portable player 42 which is another type of consumption point, it will be considered as local (and counted in Local_count) if it was local to master device. 23 at the time of your enrollment in AD. This does not prevent the handheld from being used later outside the main residence. positives which are preferably remote from each other.

For each of the three previously mentioned counts, an upper limit is also set and stored in the master device. These limits are such that:

- Total limit is high (a normal user will never reach this limit),

- the limit for remotely installed Remote_limit devices is low (in order to control remote installations),

- the limit for installed local devices Lo-cal_limit is reasonable and

- The addition of Remote_limit and Local_limit must be well below the total limit.

When a request to install a new device in an AD is received by that AD master device, the following rules apply:

If Total_count has reached Total_limit, then installation is declined.

If the new device is remote and Remote_count has reached Remote_limit, the installation is refused.

If the new device is local and Local_count is equal to or greater than Local_limit, then a number test is performed. This test consists of checking the number of AD devices that are currently connected within proximity of the master device. For this purpose, the master device broadcasts a message on the network to which it is connected and only replies coming from devices of this AD located near the master device will be accepted. The number test passes only if the number of accepted responses represents a certain number of Local_count. If the test fails, the installation of the new device is refused. Alternatively, the number test may be based on a certain Total_count number.

In all other cases, the installation of the new device occurs. Total_count is incremented. If the new device is in close proximity to the master device, Lo-cal_count is incremented as well, otherwise Remo-te_count is incremented.

The Total_limit, Remote_limit, and Local_limits ceilings are determined by an independent authority that decides which numbers are reasonable for 'normal' users. These limits are inserted into all devices that may possibly act as master devices, preferably during manufacture. The independent authority also defines rules for authorizing agents (for example, software module on a device or specific users), once authenticated, to update these ceilings. In the event that a user is affected by one or more of the ceilings, that user may request the authenticated authorized agent to increase one or more ceilings.

It should be noted that the same functionality can be transferred from one device to another AD device. This transfer should preferably only be possible locally or the number of remote transfers should be limited. In such a case, the current counts and the ceilings must also be transferred to the new master device.

In the event that a home user decides to relocate a device from the Authorized Domain (for example, to sell it or lend it to a user outside that home), Local_count or Remote_count will be decremented depending on the location. removed device detected by the master device and Total_count will also decrement. In the event that a device is lost or stolen, it is no longer able to exchange messages with the master device, and therefore it is no longer able to perform proximity testing (used to detect a device location as explained below). later) with the master device. In this case, we prefer to decrement Local_count instead. 0 Total_count is also decremented. Note that if the relevant count (Remote_count or Local_count) is already 0, the other count will be decremented.

In one embodiment of the invention, a mechanism (which is detailed later in the description) is provided for balancing Local_count and Remote_count again if, for example, a remotely installed device is found to be local (for example, a portable player brought during first installed remotely from the master device and then connected to the home network of the main house).

As mentioned earlier, it is also possible to divide master functionality into two (or more) to get two or more master devices in an Authorized Domain. In this case, the three Local_count counts, Remo te count and Total_count, as well as the Local_limit, Remo te limit and Total limit ceilings must also be split between the master devices. For example, adding Local_countle Local_count2 from two master devices after splitting should equal Local_count from a previous single master device. The balance of counts between master devices can be decided automatically (for example, equally shared between master devices) or it can be decided by the AD user by executing the master device division. An upper limit is preferably set to the number of master functionality divisions and is stored, with the other counts and ceilings, in a secure memory of the master device.

In an alternative embodiment, it is not necessary to split the Total_limit ceiling when other counts and ceilings are split. Also, it should be noted that, contrary to the transfer of master functionality that is limited to remotely transferred or may be restricted to local transfers, it is preferable to allow the division of master functionality between remote devices. The split is mainly interesting to allow the user to have a master device in each of the AD's location.

In Figure 4, we show an example of installing a new device 300 into an Authorized Domain already having a master device 302 and other 304 devices installed. When connecting on a home network, a new device 300 broadcasts in one step 306 a master request message on the network requesting a master device to respond. Other devices on the network respond only if they are masters. In Figure 4, we assume that master device 302 received the master request message. The master device then checks step 308 for the value of Total_count. If the Total_count is smaller than the Total_limit ceiling, then the master device triggers step 310 a proximity test with the new device to know if the new device is to be counted as a local device or as a remote device with respect to the location of the master device.

Proximity testing preferably uses a method for reliably measuring the time-based distance between two devices disclosed in European Patent Application 05 300 494.1 filed June 20, 2005 by the applicant of the current European patent application. . To this end, the master devices 302 send a series of ping commands 312 to the new device 300 and await ping responses 314. For each received response 314, the master device calculates a distance based on in the associated time called travel time (RTT). If the master device gets an RTT less than a given limit (eg 7 ms), it assumes that the new device is in its local proximity and it sends an additional message (not shown in figure 4) to the new device requesting data from it. authentication (as explained in the above mentioned patent application). Authentication data sent by the new device in response to this request is verified by the master device to verify the source of the ping responses used to calculate the RTT. If all of these checks by the master device were successful, the new device is considered to be local. Otherwise, the new device is considered remote.

If the new device is remote, the same device checks Remote_count. If Remote_count is smaller than Remote_limit, then the master device proposes a remote installation for the new device. Otherwise (Remote_count greater than or equal to Remote_limit), the master device sends a message to the new device indicating that the installation is refused.

If the new device is local (as is the case in the example of Figure 4), the master device checks (step316) Local_count. If Local_count is smaller than Lo-cal_limit, then a local installation is proposed for the new device. In the event that Local_count is greater than or equal to Local_limit, the master device triggers a number test with other devices on the network (step 318 in Figure 4): it first broadcasts a discovery message 320 on the network. This discovery message preferably contains a random number R (generated or obtained by the master device) and an AD_ID Challenge Authorized Domain identifier. Each Authorized Domain, once established, has a unique AD_ID identifier known to all installed AD devices.

When other AD devices 304 receive the discovery message, they respond with messages 322 containing their own Device_ID identifier and randomization data calculated at random number R and their own Device_ID identifier using a secret key. Preferably, the authentication data is calculated using the HMAC-SHA1 function and an ADD Authorized Domain secret key. In an Authorized Domain, all installed devices usually share a specific secret key for AD: AD_key. Alternatively, a session key established on a secure authenticated channel (SAC) and shared between the master device and the device 304 by calculating the reply message 322 may be used to calculate the authentication data.

Master device 302 then checks the validity of incoming responses (verifying authentication data in messages 322) to ensure that it has only received responses from Authorized Domain devices and checks (step 324) that the number of correct responses is sufficient to pass the test. Number For example, if the reason for the number is half the number of local devices (ie Local_count / 2) must be present. Therefore, it is verified at step 324 that the number of correct responses received is greater than Local_count / 2. If this check is successful, master device 302 begins at step 326 a proximity test with each other device 304 having correct responses sent 322. This proximity test is performed as previously explained: ping commands 328 are sent from master device for each other device considered 304 and ping responses 330 are received from each other device and checked on the master device with authentication data.

The master device then counts all devices that passed the proximity test (that is, those that are in their local proximity) and checks (step 332) that this number is greater than the number required for the number (ie is larger than Local_count / 2 with the example above). If the number test has passed (as in the example shown in figure 4), the master device proposes a local installation (step 334) for the new device. Otherwise, the master device sends a message to the new device signaling that the installation is declined.

When the new device receives a proposal to install one or more masters (in this case the master functionality is split between two or more devices), the user is asked to select a proposal (step 336), with a preference for the master (s). master (s) proposing a local installation. The new device then sends an install request (step 338) to the chosen master device and the installation process begins (updating the master device counts, sending the AD_ID identifier, and possibly the AD_keydomain domain secret key. the new device that becomes a domain device, etc.)

We will now explain with reference to Figure 5 the Authorized Domain size management protocol from the point of view of a new device requesting to be installed in AD.

The device is primarily in a 'new device' state 400. From this state, it will broadcast a master request message 401 when it is first connected to a home network. Next, it begins 402 a Tv interval and waits 403 for the predetermined Tv time. During this wait, if the device receives a proximity test request (in the form of "ping" commands, for example), it performs proximity test 4 05 with the master device having sent the request and returns it to the device. wait state 403. It is to be noted that multiple proximity tests may be performed prior to interval expiration if multiple master devices respond to the request for a demonic message. When the predetermined Tv time has expired 406, the device checks 407 if it has received any response from a master device. If a response has been received 408, the device checks 409 if a local installation proposal has been received. If no local installation has been proposed410 by a master device, then the device checks411 if a remote installation proposal has been received. No remote installation has been proposed 412, this means that the device only received negative responses (installation refused) from the master device (s) and responded to its master request message. In this case, the user should preferably be informed (via a device user interface) of this failure and the device returns to the 'new device' state 400.

If a 413 remote installation or a 414 local installation has been proposed for the device, it will let the user select one of the 415 proposals and perform an installation protocol with the master device having sent the installation proposal to enter the state. Alternatively, an automatic selection may be made in case the device has no user interface.

In the event that no response has been received 418 after the Tv interval expires, the device proposes for the user to create a new network. If the user agrees, device 419 randomly chooses an AD_key and initializes the counts (Local_count = 1; Remote_count = OeTotal_count = 1) before entering 'master device' state 420.

Referring to Figure 6, the Authorized Domain size management protocol from a master device point of view will now be explained. This protocol preferably runs on the secure processor of the master device.

The protocol begins from the 'master device' state 500 when the master device receives a master request from a new device requesting to be installed on the Authorized Domain. The master device compares first 502 the Total_count with the Total_limit ceiling. In the event that Total_count is greater than or equal to Total_limit, the master device 504 sends a message to the new requesting device to inform it that the installation is refused and it returns to the 'master device' state. 500

In the event that Total_count is below the To-tal limit, the master device begins a proximity test with the new device as previously explained.

If no response is received from the new device prior to the expiration of a predetermined time Tv 508, it is considered that the new device is remote. In the event that at least one response is received from the new device during the proximity test, 510 is checked if the new device is re-motorcycle (512) or local (514). If the new device is remote, Remote_count is checked 516. If Remote_count is down from the Remote_limit ceiling, a remote installation proposal is sent 518 to the new device. Otherwise, (Remove count equal to or greater than Remote_limit), an installation denial message is sent 504 to the new device and the master device returns to the 'master device' state 500.

If the new device is local, Local_count is checked 520. If Local_count is below Local_limit, a local installation proposal is sent 522 to the new device. Otherwise (Local_count equal to or greater than Local_limit), the master device starts 524 a number test by broadcasting a discovery message on the network and starting an interval Τ. The master device then waits 526 for a predetermined time T. During this wait, if a response is received 528 by any other device, the master device 530 verifies the authentication data (for example, a message authentication code calculated using HiyiAC-SHAl as previously explained) in reply message to verify that the reply was sent by a device belonging to the Authorized Domain. If this check fails, the reply message is ignored 532 and the master device returns to standby state 526. If the verification 530 is successful, the reply message is counted 534 as correct and the master device returns to the state of wait 526.

When the predetermined time T has expired536, the number of correct reply messages received is compared to 538 with the number required to pass the test. If the number is, for example, half of Total_count, 538 is checked if the number of correct messages is greater than Total_count / 2. In a preferred alternative embodiment, the number required to pass the test is half of Lo-cal_count. If this check fails, a re-install message is sent 504 to the new device and the master device returns to the Misprivate Master '500 state. Otherwise, (check successful 538), a proximity test is performed. 540 with each device having sent correct response messages. At the end of these tests, only devices in local proximity with the master device are counted to check the number 542 (that is, if the number of local devices is greater than Total_count / 2 as indicated in Figure 6, or in alternative mode, greater than Local_count). /2). If the number test is finally successful, a local installation proposal is sent 522 to the new device, otherwise an installation refusal message is sent 504.

When a remote installation proposal 518 or a local installation proposal 522 has been submitted, the master device begins another Tw interval and waits for 544 responses from the new device. When the pre-terminated time Tw has expired, the master devices check 545 if any response requesting installation has been received from the new device. If an install request has been received, it runs 548 the install protocol as a new device; otherwise, the master device returns to master device state '500.

An example of ceiling values for an Authorized Domain is provided below:

- Total_limit: 20 devices

- Local_limit: 6 devices

- Remote_limit: 2 devices

- Upper limit on the number of domestic divisions: 2.

Two authorized remote installations (together with two authorized master divisions) allow users to have a master device in their principale home in two other homes. In this type of Authorized Domain, mobile devices (including car devices) may be locally installed in either location.

With the above values, an example of the division would be as follows. We assume that one time during the duration of AD, the current values for the counts are as follows:

- Total_count: 9 devices- Local_count: 8 devices (In this case, we assume 2 devices were installed by passing testede number because Local_count> Local_limit)

- Remote_count: 1 device

- Number of master divisions: 0.

This means that at that time no master division has ever occurred, a device has been installed remotely (for example, the second home TV set) and 8 devices have been installed locally (for example, 4 TV sets, one in main room - the master device, one in the kitchen and one in each bedroom, 1 nocar dvd player, 2 pc and a portable player). We assume that a user, Alice, wants to install a PC in her second home as well. Of course, she could install it remotely, but that would mean she would no longer be able to install remote devices after that. She thus prefers to share the master functionality between the TV set in her main living room and the one in her second home. For this purpose, it affects the following new values for contagious ceilings:

- New ceilings for master TV in main room: Total_limit = 15, Local_limit = 4, Remote_limit = 2, maximum master divisions = 2,

- Ceilings for new master in second house: To-tal_limit = 5, Local_limit = 2, Remote_limit = 0, maximum master divisions 0,

- New master room master TV counts: Total_count = 8, Local_count = 8, Remote_count = 0, Master views = 1,

- New counts for new master in second row: Total_count = 1, Local_count = 1, Remote_count = 0, Master views = 0.

With these values, Alice will be able to install up to 4 devices in her second home without any problems. It is to be noted that the second device to be installed in the second house will be installed without passing the test number, while the next will require this (because Lo-cal_limit will be reached).

Now an example of the new equilibrium will be provided. We assume that the user, Alice, has the same configuration as above (before division). Counter values are as follows:

- Total_count: 9 devices

- Local_count: 8 devices

- Remote_count: 1 device

- Number of master divisions: 0.

During a business trip, she buys a new portable player (the other from her daughter) and naturally she doesn't want to wait to return home to use her new device. She installed it thus remotely (new values for the counter are:

- Total_count: 10 devices

- Local_count: 8 devices

- Remote_count: 2 devices

- Number of master divisions; 0).

When she returns home, she connects the handheld to her home network. The master TV detects that a device has been connected and finds out which devices are locally connected on the network. It counts 9 devices (we now assume the car is in front of the house) while the current count for local devices is 8 only. The master device thus concludes that a remotely installed device is now local and decides to update the counts provided if one of the following conditions is met:

- Local_count is smaller than Local_limit or

- if Local_count is equal to or greater than Lo-cal Iimit and the number test (based on, for example, Local_count half) passes as previously explained.

In this case, Local_count is adjusted to the number of local devices currently present while Remo-te_count is adjusted to the difference between total and local (new) counts. New counts are now:

- Total_count: 10 devices

- Local_count: 9 devices

- Remote_count: 1 device

- Number of master divisions: 0.

Thanks to the new balance mechanism, Alice will still enjoy the ability to remotely install devices. Without this, Alice would have to wait for the return home to install her new portable player in order not to miss this possibility.

The advantages of the invention are as follows:

- High flexibility: A normal user is able to install mobile devices and devices in a second of the house without any restrictions,

- control over remote installation: sleepers will be limited in their ability to install devices in multiple remote locations,

- Security: The solution cannot be easily fooled.

Claims (14)

Method for controlling the number of devices (21, 22, 23, 24, 31, 41, 42, 51) installed in an Authorized Domain (1) containing at least one master device (200), said master device being capable of store ceiling values for: - the total Total_limit number of devices to be installed in the Authorized Domain, - the Local_limit total number of devices to be installed in close proximity to the master device, and - the total Remote_limit number of devices to be installed remotely from said master device, the method is characterized by the fact that it comprises steps, when the master device receives a request to install a new device, to: (502) check that Total_limit has not been reached, in case of positive verification , check (506, 510) if the new device is in local proximity with the master device and in which case it is verified that the new device is local, check (520) if the Local_limit has not been reached. Before allowing local installation, in case it is verified that the new device is remote, check (516) that Remote_limit was not reached before allowing remote installation. Method according to claim 1, characterized in that the Local_limit ceiling value is greater than the Remote_limit ceiling value. Method according to either of claims 1 or 2, characterized in that the detected value Total_limit is greater than the sum of the ceiling values Local_limit and Remote_limit. Method according to any one of claims 1 to 3, characterized in that the master device is furthermore capable of storing current values of: - the Local_count number of devices installed in the Authorized Domain in close proximity to the Master device is the Remote_count number of devices installed in the Authorized Domain remotely from said master device, the method also comprising, if it is found that the new device is local and in which case the Local_count number is equal to or greater than the Local_limit, a step of verifying that the number of devices installed in the Authorized Domain, which are connected at this time in close proximity to the master device, is greater than a predetermined number of the Local_count number, where the new device is locally installed only if said check is positive. Method according to claim 4, characterized in that the step of verifying that the number of devices installed in the Authorized Domain, and which are currently connected in close proximity to the master device, is greater than one number. The predefined Local_count comprises: broadcasting a discovery message containing an Authorized Domain identifier and a random number to all Authorized Domain devices, receiving messages from the Authorized Domain devices containing said random number and a responding device identifier, said message being protected by authentication data, check the validity of incoming messages using the authentication data, and for each valid message received from an Authorized Domain device, verify that the device that sent the valid message is in close proximity to Io-cal. master device, count the number of devices that sent messages Valid messages that are in local proximity to the master device check whether this number is greater than the local_count's predetermined number. Method according to either of claims 4 or 5, characterized in that the predetermined number of Local_count is half of Local_count. Method according to any one of claims 4 to 6, characterized in that the predetermined number is based on the total Total_count number of devices installed in the Authorized Domain instead of the Lo-cal count. Method according to any one of claims 4 to 7, characterized in that: Local_count is incremented when the new device is installed locally or Remote_count is incremented when the new device is installed remotely. . Method according to claim 8, characterized in that Local_count or Remo-count is incremented only when the new device is able to consume and / or export content. Method according to claim 9, characterized in that Local_count or Remo-te_count are incremented by one unit when the new device is able to consume and export content. Method according to one of claims 9 or 10, characterized in that when it is found that a device that has been remotely installed in the Authorized Domain is in close proximity to the master device, then Local_count is incremented while Remote_count is decremented. A method according to any one of claims 4 to 11, characterized in that said method comprises a step of dividing the master device functionality between two apparatuses, said dividing step comprising dividing the Total_limit, Local_limit, and Remote_limit ceiling values, and the current Local_count and Remote_count values are between the two master devices. A method according to claim 12, characterized in that the authorized division number of master device functionality is limited to a predetermined number. 14. Apparatus (200) containing master device functionality for controlling the number of devices (21, - 22, 23, 24, 31, 41, 42, 51) installed in an Authorized Domain (1), CHARACTERIZED by It comprises: a memory (202) capable of storing ceiling values for: - the total Total_limit number of devices to be installed in the Authorized Domain, - the Local_limit total number of devices to be installed in a local proximity with the master device and- the total number of Remote_limit devices being remotely installed from said master device, and capable of storing current values of: - the Local_count number of devices installed in the Authorized Domain in close proximity to the master device and - the Remote_count number of devices installed on Remotely Authorized Domain of said master device device (201, 203, 204) for implementing the method according to any one of claims 1 to 13 for controlling the facility. will new devices in DomínioAutorizado.